1.36.25 2 .49V8l-6-6H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h4.5a8.2 8.2 0 0 1-1.23-2"/></svg> </a> <h1>ACLs</h1> <p>Headscale implements the same policy ACLs as Tailscale.com, adapted to the self-hosted environment.</p> <p>For instance, when defining groups you refer to headscale users (which are the equivalent of user logins in Tailscale.com).</p> <p>Please check <a href=https://tailscale.com/kb/1018/acls/ >https://tailscale.com/kb/1018/acls/</a> for further information.</p> <p>When ACLs are in use, the boundaries between users no longer apply: any machine, whichever user it belongs to, can communicate with other hosts as long as the ACLs permit that exchange.</p> <h2 id=acls-use-case-example>ACLs use case example<a class=headerlink href=#acls-use-case-example title="Permanent link">&para;</a></h2> <p>Let's build an example use case for a small business (this is probably where ACLs are the most useful).</p> <p>We have a small company with a boss, an admin, two developers and an intern.</p> <p>The boss should have access to all servers but not to the users' hosts. The admin should also have access to all hosts, but their permissions should be limited to maintaining the hosts (for the purposes of this example). The developers can do anything they want on dev hosts but may only observe the production hosts. The intern can only interact with the development servers.</p> <p>There's an additional server that acts as a router, connecting the VPN users to the internal network <code>10.20.0.0/16</code>. 
Developers must have access to those internal resources.</p> <p>Each user has at least one device connected to the network, and we have some servers.</p> <ul> <li>database.prod</li> <li>database.dev</li> <li>app-server1.prod</li> <li>app-server1.dev</li> <li>billing.internal</li> <li>router.internal</li> </ul> <p><img alt="ACL implementation example" src=../../images/headscale-acl-network.png></p> <h2 id=acl-setup>ACL setup<a class=headerlink href=#acl-setup title="Permanent link">&para;</a></h2> <p>Note: users are created automatically when they authenticate with the headscale server.</p> <p>ACLs have to be written in <a href=https://github.com/tailscale/hujson>huJSON</a>.</p> <p>When <a href=../../usage/getting-started/#register-a-node>registering the servers</a> we will need to add the flag <code>--advertise-tags=tag:&lt;tag1&gt;,tag:&lt;tag2&gt;</code>, and the user registering the server must be allowed to set those tags. Since any user can request tags for a server they register, the requested tags are checked on the headscale server and only valid tags are applied; a tag is valid only if the registering user is allowed to set it (see <code>tagOwners</code> below).</p> <p>To use ACLs in headscale, you must edit your <code>config.yaml</code> file. In there you will find a <code>policy.path</code> parameter, which must point to your ACL file. More info on how these policies are written can be found in the <a href=https://tailscale.com/kb/1018/acls/ >Tailscale ACL documentation</a>.</p> <p>Here are the ACLs that implement the permissions described above:</p> <div class="language-json highlight"><pre><span></span><code><span id=__span-0-1><a id=__codelineno-0-1 name=__codelineno-0-1 href=#__codelineno-0-1></a><span class=p>{</span>
</span><span id=__span-0-2><a id=__codelineno-0-2 name=__codelineno-0-2 href=#__codelineno-0-2></a><span class=w> </span><span class=c1>// groups are collections of users having a common scope. A user can be in multiple groups</span>
</span><span id=__span-0-3><a id=__codelineno-0-3 name=__codelineno-0-3 href=#__codelineno-0-3></a><span class=w> </span><span class=c1>// groups cannot be composed of groups</span>
</span><span id=__span-0-4><a id=__codelineno-0-4 name=__codelineno-0-4 href=#__codelineno-0-4></a><span class=w> </span><span class=nt>&quot;groups&quot;</span><span class=p>:</span><span class=w> </span><span class=p>{</span>
</span><span id=__span-0-5><a id=__codelineno-0-5 name=__codelineno-0-5 href=#__codelineno-0-5></a><span class=w> </span><span class=nt>&quot;group:boss&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;boss&quot;</span><span class=p>],</span>
</span><span id=__span-0-6><a id=__codelineno-0-6 name=__codelineno-0-6 href=#__codelineno-0-6></a><span class=w> </span><span class=nt>&quot;group:dev&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;dev1&quot;</span><span class=p>,</span><span class=w> </span><span class=s2>&quot;dev2&quot;</span><span class=p>],</span>
</span><span id=__span-0-7><a id=__codelineno-0-7 name=__codelineno-0-7 href=#__codelineno-0-7></a><span class=w> </span><span class=nt>&quot;group:admin&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;admin1&quot;</span><span class=p>],</span>
</span><span id=__span-0-8><a id=__codelineno-0-8 name=__codelineno-0-8 href=#__codelineno-0-8></a><span class=w> </span><span class=nt>&quot;group:intern&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;intern1&quot;</span><span class=p>]</span>
</span><span id=__span-0-9><a id=__codelineno-0-9 name=__codelineno-0-9 href=#__codelineno-0-9></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-0-10><a id=__codelineno-0-10 name=__codelineno-0-10 href=#__codelineno-0-10></a><span class=w> </span><span class=c1>// tagOwners in tailscale is an association between a TAG and the people allowed to set this TAG on a server.</span>
</span><span id=__span-0-11><a id=__codelineno-0-11 name=__codelineno-0-11 href=#__codelineno-0-11></a><span class=w> </span><span class=c1>// This is documented [here](https://tailscale.com/kb/1068/acl-tags#defining-a-tag)</span>
</span><span id=__span-0-12><a id=__codelineno-0-12 name=__codelineno-0-12 href=#__codelineno-0-12></a><span class=w> </span><span class=c1>// and explained [here](https://tailscale.com/blog/rbac-like-it-was-meant-to-be/)</span>
</span><span id=__span-0-13><a id=__codelineno-0-13 name=__codelineno-0-13 href=#__codelineno-0-13></a><span class=w> </span><span class=nt>&quot;tagOwners&quot;</span><span class=p>:</span><span class=w> </span><span class=p>{</span>
</span><span id=__span-0-14><a id=__codelineno-0-14 name=__codelineno-0-14 href=#__codelineno-0-14></a><span class=w> </span><span class=c1>// the administrators can add servers in production</span>
</span><span id=__span-0-15><a id=__codelineno-0-15 name=__codelineno-0-15 href=#__codelineno-0-15></a><span class=w> </span><span class=nt>&quot;tag:prod-databases&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;group:admin&quot;</span><span class=p>],</span>
</span><span id=__span-0-16><a id=__codelineno-0-16 name=__codelineno-0-16 href=#__codelineno-0-16></a><span class=w> </span><span class=nt>&quot;tag:prod-app-servers&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;group:admin&quot;</span><span class=p>],</span>
</span><span id=__span-0-17><a id=__codelineno-0-17 name=__codelineno-0-17 href=#__codelineno-0-17></a>
</span><span id=__span-0-18><a id=__codelineno-0-18 name=__codelineno-0-18 href=#__codelineno-0-18></a><span class=w> </span><span class=c1>// the boss can tag any server as internal</span>
</span><span id=__span-0-19><a id=__codelineno-0-19 name=__codelineno-0-19 href=#__codelineno-0-19></a><span class=w> </span><span class=nt>&quot;tag:internal&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;group:boss&quot;</span><span class=p>],</span>
</span><span id=__span-0-20><a id=__codelineno-0-20 name=__codelineno-0-20 href=#__codelineno-0-20></a>
</span><span id=__span-0-21><a id=__codelineno-0-21 name=__codelineno-0-21 href=#__codelineno-0-21></a><span class=w> </span><span class=c1>// dev can add servers for dev purposes as well as admins</span>
</span><span id=__span-0-22><a id=__codelineno-0-22 name=__codelineno-0-22 href=#__codelineno-0-22></a><span class=w> </span><span class=nt>&quot;tag:dev-databases&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;group:admin&quot;</span><span class=p>,</span><span class=w> </span><span class=s2>&quot;group:dev&quot;</span><span class=p>],</span>
</span><span id=__span-0-23><a id=__codelineno-0-23 name=__codelineno-0-23 href=#__codelineno-0-23></a><span class=w> </span><span class=nt>&quot;tag:dev-app-servers&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;group:admin&quot;</span><span class=p>,</span><span class=w> </span><span class=s2>&quot;group:dev&quot;</span><span class=p>]</span>
</span><span id=__span-0-24><a id=__codelineno-0-24 name=__codelineno-0-24 href=#__codelineno-0-24></a>
</span><span id=__span-0-25><a id=__codelineno-0-25 name=__codelineno-0-25 href=#__codelineno-0-25></a><span class=w> </span><span class=c1>// interns cannot add servers</span>
</span><span id=__span-0-26><a id=__codelineno-0-26 name=__codelineno-0-26 href=#__codelineno-0-26></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-0-27><a id=__codelineno-0-27 name=__codelineno-0-27 href=#__codelineno-0-27></a><span class=w> </span><span class=c1>// hosts should be defined using its IP addresses and a subnet mask.</span>
</span><span id=__span-0-28><a id=__codelineno-0-28 name=__codelineno-0-28 href=#__codelineno-0-28></a><span class=w> </span><span class=c1>// to define a single host, use a /32 mask. You cannot use DNS entries here,</span>
</span><span id=__span-0-29><a id=__codelineno-0-29 name=__codelineno-0-29 href=#__codelineno-0-29></a><span class=w> </span><span class=c1>// as they&#39;re prone to be hijacked by replacing their IP addresses.</span>
</span><span id=__span-0-30><a id=__codelineno-0-30 name=__codelineno-0-30 href=#__codelineno-0-30></a><span class=w> </span><span class=c1>// see https://github.com/tailscale/tailscale/issues/3800 for more information.</span>
</span><span id=__span-0-31><a id=__codelineno-0-31 name=__codelineno-0-31 href=#__codelineno-0-31></a><span class=w> </span><span class=nt>&quot;hosts&quot;</span><span class=p>:</span><span class=w> </span><span class=p>{</span>
</span><span id=__span-0-32><a id=__codelineno-0-32 name=__codelineno-0-32 href=#__codelineno-0-32></a><span class=w> </span><span class=nt>&quot;postgresql.internal&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;10.20.0.2/32&quot;</span><span class=p>,</span>
</span><span id=__span-0-33><a id=__codelineno-0-33 name=__codelineno-0-33 href=#__codelineno-0-33></a><span class=w> </span><span class=nt>&quot;webservers.internal&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;10.20.10.1/29&quot;</span>
</span><span id=__span-0-34><a id=__codelineno-0-34 name=__codelineno-0-34 href=#__codelineno-0-34></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-0-35><a id=__codelineno-0-35 name=__codelineno-0-35 href=#__codelineno-0-35></a><span class=w> </span><span class=nt>&quot;acls&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span>
</span><span id=__span-0-36><a id=__codelineno-0-36 name=__codelineno-0-36 href=#__codelineno-0-36></a><span class=w> </span><span class=c1>// members of group:boss have access to all servers</span>
</span><span id=__span-0-37><a id=__codelineno-0-37 name=__codelineno-0-37 href=#__codelineno-0-37></a><span class=w> </span><span class=p>{</span>
</span><span id=__span-0-38><a id=__codelineno-0-38 name=__codelineno-0-38 href=#__codelineno-0-38></a><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span>
</span><span id=__span-0-39><a id=__codelineno-0-39 name=__codelineno-0-39 href=#__codelineno-0-39></a><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;group:boss&quot;</span><span class=p>],</span>
</span><span id=__span-0-40><a id=__codelineno-0-40 name=__codelineno-0-40 href=#__codelineno-0-40></a><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span>
</span><span id=__span-0-41><a id=__codelineno-0-41 name=__codelineno-0-41 href=#__codelineno-0-41></a><span class=w> </span><span class=s2>&quot;tag:prod-databases:*&quot;</span><span class=p>,</span>
</span><span id=__span-0-42><a id=__codelineno-0-42 name=__codelineno-0-42 href=#__codelineno-0-42></a><span class=w> </span><span class=s2>&quot;tag:prod-app-servers:*&quot;</span><span class=p>,</span>
</span><span id=__span-0-43><a id=__codelineno-0-43 name=__codelineno-0-43 href=#__codelineno-0-43></a><span class=w> </span><span class=s2>&quot;tag:internal:*&quot;</span><span class=p>,</span>
</span><span id=__span-0-44><a id=__codelineno-0-44 name=__codelineno-0-44 href=#__codelineno-0-44></a><span class=w> </span><span class=s2>&quot;tag:dev-databases:*&quot;</span><span class=p>,</span>
</span><span id=__span-0-45><a id=__codelineno-0-45 name=__codelineno-0-45 href=#__codelineno-0-45></a><span class=w> </span><span class=s2>&quot;tag:dev-app-servers:*&quot;</span>
</span><span id=__span-0-46><a id=__codelineno-0-46 name=__codelineno-0-46 href=#__codelineno-0-46></a><span class=w> </span><span class=p>]</span>
</span><span id=__span-0-47><a id=__codelineno-0-47 name=__codelineno-0-47 href=#__codelineno-0-47></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-0-48><a id=__codelineno-0-48 name=__codelineno-0-48 href=#__codelineno-0-48></a>
</span><span id=__span-0-49><a id=__codelineno-0-49 name=__codelineno-0-49 href=#__codelineno-0-49></a><span class=w> </span><span class=c1>// admins only have access to the administrative port of the servers, tcp/22</span>
</span><span id=__span-0-50><a id=__codelineno-0-50 name=__codelineno-0-50 href=#__codelineno-0-50></a><span class=w> </span><span class=p>{</span>
</span><span id=__span-0-51><a id=__codelineno-0-51 name=__codelineno-0-51 href=#__codelineno-0-51></a><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span>
</span><span id=__span-0-52><a id=__codelineno-0-52 name=__codelineno-0-52 href=#__codelineno-0-52></a><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;group:admin&quot;</span><span class=p>],</span>
</span><span id=__span-0-53><a id=__codelineno-0-53 name=__codelineno-0-53 href=#__codelineno-0-53></a><span class=w> </span><span class=nt>&quot;proto&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;tcp&quot;</span><span class=p>,</span>
</span><span id=__span-0-54><a id=__codelineno-0-54 name=__codelineno-0-54 href=#__codelineno-0-54></a><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span>
</span><span id=__span-0-55><a id=__codelineno-0-55 name=__codelineno-0-55 href=#__codelineno-0-55></a><span class=w> </span><span class=s2>&quot;tag:prod-databases:22&quot;</span><span class=p>,</span>
</span><span id=__span-0-56><a id=__codelineno-0-56 name=__codelineno-0-56 href=#__codelineno-0-56></a><span class=w> </span><span class=s2>&quot;tag:prod-app-servers:22&quot;</span><span class=p>,</span>
</span><span id=__span-0-57><a id=__codelineno-0-57 name=__codelineno-0-57 href=#__codelineno-0-57></a><span class=w> </span><span class=s2>&quot;tag:internal:22&quot;</span><span class=p>,</span>
</span><span id=__span-0-58><a id=__codelineno-0-58 name=__codelineno-0-58 href=#__codelineno-0-58></a><span class=w> </span><span class=s2>&quot;tag:dev-databases:22&quot;</span><span class=p>,</span>
</span><span id=__span-0-59><a id=__codelineno-0-59 name=__codelineno-0-59 href=#__codelineno-0-59></a><span class=w> </span><span class=s2>&quot;tag:dev-app-servers:22&quot;</span>
</span><span id=__span-0-60><a id=__codelineno-0-60 name=__codelineno-0-60 href=#__codelineno-0-60></a><span class=w> </span><span class=p>]</span>
</span><span id=__span-0-61><a id=__codelineno-0-61 name=__codelineno-0-61 href=#__codelineno-0-61></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-0-62><a id=__codelineno-0-62 name=__codelineno-0-62 href=#__codelineno-0-62></a>
</span><span id=__span-0-63><a id=__codelineno-0-63 name=__codelineno-0-63 href=#__codelineno-0-63></a><span class=w> </span><span class=c1>// we also allow admins to ping the servers</span>
</span><span id=__span-0-64><a id=__codelineno-0-64 name=__codelineno-0-64 href=#__codelineno-0-64></a><span class=w> </span><span class=p>{</span>
</span><span id=__span-0-65><a id=__codelineno-0-65 name=__codelineno-0-65 href=#__codelineno-0-65></a><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span>
</span><span id=__span-0-66><a id=__codelineno-0-66 name=__codelineno-0-66 href=#__codelineno-0-66></a><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;group:admin&quot;</span><span class=p>],</span>
</span><span id=__span-0-67><a id=__codelineno-0-67 name=__codelineno-0-67 href=#__codelineno-0-67></a><span class=w> </span><span class=nt>&quot;proto&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;icmp&quot;</span><span class=p>,</span>
</span><span id=__span-0-68><a id=__codelineno-0-68 name=__codelineno-0-68 href=#__codelineno-0-68></a><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span>
</span><span id=__span-0-69><a id=__codelineno-0-69 name=__codelineno-0-69 href=#__codelineno-0-69></a><span class=w> </span><span class=s2>&quot;tag:prod-databases:*&quot;</span><span class=p>,</span>
</span><span id=__span-0-70><a id=__codelineno-0-70 name=__codelineno-0-70 href=#__codelineno-0-70></a><span class=w> </span><span class=s2>&quot;tag:prod-app-servers:*&quot;</span><span class=p>,</span>
</span><span id=__span-0-71><a id=__codelineno-0-71 name=__codelineno-0-71 href=#__codelineno-0-71></a><span class=w> </span><span class=s2>&quot;tag:internal:*&quot;</span><span class=p>,</span>
</span><span id=__span-0-72><a id=__codelineno-0-72 name=__codelineno-0-72 href=#__codelineno-0-72></a><span class=w> </span><span class=s2>&quot;tag:dev-databases:*&quot;</span><span class=p>,</span>
</span><span id=__span-0-73><a id=__codelineno-0-73 name=__codelineno-0-73 href=#__codelineno-0-73></a><span class=w> </span><span class=s2>&quot;tag:dev-app-servers:*&quot;</span>
</span><span id=__span-0-74><a id=__codelineno-0-74 name=__codelineno-0-74 href=#__codelineno-0-74></a><span class=w> </span><span class=p>]</span>
</span><span id=__span-0-75><a id=__codelineno-0-75 name=__codelineno-0-75 href=#__codelineno-0-75></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-0-76><a id=__codelineno-0-76 name=__codelineno-0-76 href=#__codelineno-0-76></a>
</span><span id=__span-0-77><a id=__codelineno-0-77 name=__codelineno-0-77 href=#__codelineno-0-77></a><span class=w> </span><span class=c1>// developers have access to the dev database servers and dev application servers on all ports.</span>
</span><span id=__span-0-78><a id=__codelineno-0-78 name=__codelineno-0-78 href=#__codelineno-0-78></a><span class=w> </span><span class=c1>// in prod they can only view the application servers (ports 80 and 443) and have no access to the database servers</span>
</span><span id=__span-0-79><a id=__codelineno-0-79 name=__codelineno-0-79 href=#__codelineno-0-79></a><span class=w> </span><span class=p>{</span>
</span><span id=__span-0-80><a id=__codelineno-0-80 name=__codelineno-0-80 href=#__codelineno-0-80></a><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span>
</span><span id=__span-0-81><a id=__codelineno-0-81 name=__codelineno-0-81 href=#__codelineno-0-81></a><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;group:dev&quot;</span><span class=p>],</span>
</span><span id=__span-0-82><a id=__codelineno-0-82 name=__codelineno-0-82 href=#__codelineno-0-82></a><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span>
</span><span id=__span-0-83><a id=__codelineno-0-83 name=__codelineno-0-83 href=#__codelineno-0-83></a><span class=w> </span><span class=s2>&quot;tag:dev-databases:*&quot;</span><span class=p>,</span>
</span><span id=__span-0-84><a id=__codelineno-0-84 name=__codelineno-0-84 href=#__codelineno-0-84></a><span class=w> </span><span class=s2>&quot;tag:dev-app-servers:*&quot;</span><span class=p>,</span>
</span><span id=__span-0-85><a id=__codelineno-0-85 name=__codelineno-0-85 href=#__codelineno-0-85></a><span class=w> </span><span class=s2>&quot;tag:prod-app-servers:80,443&quot;</span>
</span><span id=__span-0-86><a id=__codelineno-0-86 name=__codelineno-0-86 href=#__codelineno-0-86></a><span class=w> </span><span class=p>]</span>
</span><span id=__span-0-87><a id=__codelineno-0-87 name=__codelineno-0-87 href=#__codelineno-0-87></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-0-88><a id=__codelineno-0-88 name=__codelineno-0-88 href=#__codelineno-0-88></a><span class=w> </span><span class=c1>// developers have access to the internal network through the router.</span>
</span><span id=__span-0-89><a id=__codelineno-0-89 name=__codelineno-0-89 href=#__codelineno-0-89></a><span class=w> </span><span class=c1>// the internal network is composed of HTTPS endpoints and PostgreSQL</span>
</span><span id=__span-0-90><a id=__codelineno-0-90 name=__codelineno-0-90 href=#__codelineno-0-90></a><span class=w> </span><span class=c1>// database servers. There is an additional rule to allow traffic to be</span>
</span><span id=__span-0-91><a id=__codelineno-0-91 name=__codelineno-0-91 href=#__codelineno-0-91></a><span class=w> </span><span class=c1>// forwarded to the internal subnet, 10.20.0.0/16. See this issue</span>
</span><span id=__span-0-92><a id=__codelineno-0-92 name=__codelineno-0-92 href=#__codelineno-0-92></a><span class=w> </span><span class=c1>// https://github.com/juanfont/headscale/issues/502</span>
</span><span id=__span-0-93><a id=__codelineno-0-93 name=__codelineno-0-93 href=#__codelineno-0-93></a><span class=w> </span><span class=p>{</span>
</span><span id=__span-0-94><a id=__codelineno-0-94 name=__codelineno-0-94 href=#__codelineno-0-94></a><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span>
</span><span id=__span-0-95><a id=__codelineno-0-95 name=__codelineno-0-95 href=#__codelineno-0-95></a><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;group:dev&quot;</span><span class=p>],</span>
</span><span id=__span-0-96><a id=__codelineno-0-96 name=__codelineno-0-96 href=#__codelineno-0-96></a><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;10.20.0.0/16:443,5432&quot;</span><span class=p>,</span><span class=w> </span><span class=s2>&quot;router.internal:0&quot;</span><span class=p>]</span>
</span><span id=__span-0-97><a id=__codelineno-0-97 name=__codelineno-0-97 href=#__codelineno-0-97></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-0-98><a id=__codelineno-0-98 name=__codelineno-0-98 href=#__codelineno-0-98></a>
</span><span id=__span-0-99><a id=__codelineno-0-99 name=__codelineno-0-99 href=#__codelineno-0-99></a><span class=w> </span><span class=c1>// application servers should be able to talk to their database on tcp/5432. The database should not be able to initiate connections to</span>
</span><span id=__span-0-100><a id=__codelineno-0-100 name=__codelineno-0-100 href=#__codelineno-0-100></a><span class=w> </span><span class=c1>// application servers. Note that the prod rule below omits &quot;proto&quot;, so unlike the dev rule it is not limited to TCP.</span>
</span><span id=__span-0-101><a id=__codelineno-0-101 name=__codelineno-0-101 href=#__codelineno-0-101></a><span class=w> </span><span class=p>{</span>
</span><span id=__span-0-102><a id=__codelineno-0-102 name=__codelineno-0-102 href=#__codelineno-0-102></a><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span>
</span><span id=__span-0-103><a id=__codelineno-0-103 name=__codelineno-0-103 href=#__codelineno-0-103></a><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;tag:dev-app-servers&quot;</span><span class=p>],</span>
</span><span id=__span-0-104><a id=__codelineno-0-104 name=__codelineno-0-104 href=#__codelineno-0-104></a><span class=w> </span><span class=nt>&quot;proto&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;tcp&quot;</span><span class=p>,</span>
</span><span id=__span-0-105><a id=__codelineno-0-105 name=__codelineno-0-105 href=#__codelineno-0-105></a><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;tag:dev-databases:5432&quot;</span><span class=p>]</span>
</span><span id=__span-0-106><a id=__codelineno-0-106 name=__codelineno-0-106 href=#__codelineno-0-106></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-0-107><a id=__codelineno-0-107 name=__codelineno-0-107 href=#__codelineno-0-107></a><span class=w> </span><span class=p>{</span>
</span><span id=__span-0-108><a id=__codelineno-0-108 name=__codelineno-0-108 href=#__codelineno-0-108></a><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span>
</span><span id=__span-0-109><a id=__codelineno-0-109 name=__codelineno-0-109 href=#__codelineno-0-109></a><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;tag:prod-app-servers&quot;</span><span class=p>],</span>
</span><span id=__span-0-110><a id=__codelineno-0-110 name=__codelineno-0-110 href=#__codelineno-0-110></a><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;tag:prod-databases:5432&quot;</span><span class=p>]</span>
</span><span id=__span-0-111><a id=__codelineno-0-111 name=__codelineno-0-111 href=#__codelineno-0-111></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-0-112><a id=__codelineno-0-112 name=__codelineno-0-112 href=#__codelineno-0-112></a>
</span><span id=__span-0-113><a id=__codelineno-0-113 name=__codelineno-0-113 href=#__codelineno-0-113></a><span class=w> </span><span class=c1>// interns have read-only access to dev-app-servers (ports 80 and 443)</span>
</span><span id=__span-0-114><a id=__codelineno-0-114 name=__codelineno-0-114 href=#__codelineno-0-114></a><span class=w> </span><span class=p>{</span>
</span><span id=__span-0-115><a id=__codelineno-0-115 name=__codelineno-0-115 href=#__codelineno-0-115></a><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span>
</span><span id=__span-0-116><a id=__codelineno-0-116 name=__codelineno-0-116 href=#__codelineno-0-116></a><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;group:intern&quot;</span><span class=p>],</span>
</span><span id=__span-0-117><a id=__codelineno-0-117 name=__codelineno-0-117 href=#__codelineno-0-117></a><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;tag:dev-app-servers:80,443&quot;</span><span class=p>]</span>
</span><span id=__span-0-118><a id=__codelineno-0-118 name=__codelineno-0-118 href=#__codelineno-0-118></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-0-119><a id=__codelineno-0-119 name=__codelineno-0-119 href=#__codelineno-0-119></a>
</span><span id=__span-0-120><a id=__codelineno-0-120 name=__codelineno-0-120 href=#__codelineno-0-120></a><span class=w> </span><span class=c1>// We still have to allow the devices of a single user to communicate with each other, since nothing guarantees that each</span>
</span><span id=__span-0-121><a id=__codelineno-0-121 name=__codelineno-0-121 href=#__codelineno-0-121></a><span class=w> </span><span class=c1>// user has only one device.</span>
</span><span id=__span-0-122><a id=__codelineno-0-122 name=__codelineno-0-122 href=#__codelineno-0-122></a><span class=w> </span><span class=p>{</span><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;boss&quot;</span><span class=p>],</span><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;boss:*&quot;</span><span class=p>]</span><span class=w> </span><span class=p>},</span>
</span><span id=__span-0-123><a id=__codelineno-0-123 name=__codelineno-0-123 href=#__codelineno-0-123></a><span class=w> </span><span class=p>{</span><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;dev1&quot;</span><span class=p>],</span><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;dev1:*&quot;</span><span class=p>]</span><span class=w> </span><span class=p>},</span>
</span><span id=__span-0-124><a id=__codelineno-0-124 name=__codelineno-0-124 href=#__codelineno-0-124></a><span class=w> </span><span class=p>{</span><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;dev2&quot;</span><span class=p>],</span><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;dev2:*&quot;</span><span class=p>]</span><span class=w> </span><span class=p>},</span>
</span><span id=__span-0-125><a id=__codelineno-0-125 name=__codelineno-0-125 href=#__codelineno-0-125></a><span class=w> </span><span class=p>{</span><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;admin1&quot;</span><span class=p>],</span><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;admin1:*&quot;</span><span class=p>]</span><span class=w> </span><span class=p>},</span>
</span><span id=__span-0-126><a id=__codelineno-0-126 name=__codelineno-0-126 href=#__codelineno-0-126></a><span class=w> </span><span class=p>{</span><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;intern1&quot;</span><span class=p>],</span><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;intern1:*&quot;</span><span class=p>]</span><span class=w> </span><span class=p>}</span>
</span><span id=__span-0-127><a id=__codelineno-0-127 name=__codelineno-0-127 href=#__codelineno-0-127></a><span class=w> </span><span class=p>]</span>
</span><span id=__span-0-128><a id=__codelineno-0-128 name=__codelineno-0-128 href=#__codelineno-0-128></a><span class=p>}</span>
</span></code></pre></div> </article> </div> <script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script> </div> <button type=button class="md-top md-icon" data-md-component=top hidden> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M13 20h-2V8l-5.5 5.5-1.42-1.42L12 4.16l7.92 7.92-1.42 1.42L13 8z"/></svg> Back to top </button> </main> <footer class=md-footer> <nav class="md-footer__inner md-grid" aria-label=Footer> <a href=../tls/ class="md-footer__link md-footer__link--prev" aria-label="Previous: TLS"> <div class="md-footer__button md-icon"> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11z"/></svg> </div> <div class=md-footer__title> <span class=md-footer__direction> Previous </span> <div class=md-ellipsis> TLS </div> </div> </a> <a href=../dns/ class="md-footer__link md-footer__link--next" aria-label="Next: DNS"> <div class=md-footer__title> <span class=md-footer__direction> Next </span> <div class=md-ellipsis> DNS </div> </div> <div class="md-footer__button md-icon"> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11z"/></svg> </div> </a> </nav> <div class="md-footer-meta md-typeset"> <div class="md-footer-meta__inner md-grid"> <div class=md-copyright> <div class=md-copyright__highlight> Copyright &copy; 2024 Headscale authors </div> Made with <a href=https://squidfunk.github.io/mkdocs-material/ target=_blank rel=noopener> Material for MkDocs </a> </div> <div class=md-social> <a href=https://github.com/juanfont/headscale target=_blank rel=noopener title=github.com class=md-social__link> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 496 512"><!-- Font Awesome Free 6.7.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 